Alex Chantavy achantavy

## supply-chain.cypher
// TODO: Adapt to show the _FULL_ list here: https://github.com/Cobenian/shai-hulud-detect/blob/main/compromised-packages.txt

WITH [
  { name: 'ansi-regex', version: '6.2.1' },
  { name: 'ansi-styles', version: '6.2.2' },
  { name: 'backslash', version: '0.2.1' },
  { name: 'chalk', version: '5.6.1' },
  { name: 'chalk-template', version: '1.1.1' },
  { name: 'color-convert', version: '3.1.1' },
  { name: 'color-name', version: '2.0.1' },

## cartography-npm-debug-chalk.cypher
// https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
// Note: this is a starting point. Verify with the version numbers in the article above.
// You can update the WHERE clause below with `d.requirements CONTAINS "x.y.z"`
MATCH (d:Dependency)--(r:GitHubRepository)
WHERE d.ecosystem = 'npm'
  AND d.name IN ['backslash','chalk-template','supports-hyperlinks','has-ansi','simple-swizzle','color-string','error-ex','color-name','is-arrayish','slice-ansi','color-convert','wrap-ansi','ansi-regex','supports-color','strip-ansi','chalk','debug','ansi-styles']
RETURN d.name, d.requirements, d.manifest_file, r.id

## dangling-eips.cypher
// github.com/lyft/cartography

// Get all A records
MATCH (dns:AWSDNSRecord{type:"A"})
// See which ones map to EIPs that are in our inventory
OPTIONAL MATCH (e:ElasticIPAddress{id: dns.value})

// Do some data massaging, variable renaming
WITH dns.name AS dns_name, dns.value AS dns_value, e.id AS eip
// Return only DNS names that **don't** map back to an EIP that we know about

## sync_multiple_accounts_sketch.py
    for profile_name, account_id in accounts.items():
        logger.info("Syncing AWS account with ID '%s' using configured profile '%s'.", account_id, profile_name)
        common_job_parameters["AWS_ID"] = account_id
        boto3_session = boto3.Session(profile_name=profile_name)

        _autodiscover_accounts(neo4j_session, boto3_session, account_id, sync_tag, common_job_parameters)

        try:
            _sync_one_account(
                neo4j_session,

## envoy-neo4j-tcp-proxy.yaml
static_resources:
  listeners:
  - name: www
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager

## aws_access_key_fix_sketch.py
# Change [this](https://github.com/lyft/cartography/blob/4a60653d5f343c95867e198d8c43b05e049f35b4/cartography/intel/aws/iam.py#L625-L631)
# to this:

for name in usernames;
    account_access_key = get_account_access_key_data(boto3_session, name)
    load_user_access_keys(neo4j_session, account_access_key, aws_update_tag)
    run_cleanup_job(
        'aws_import_account_access_key_cleanup.json',
        neo4j_session,
        common_job_parameters,

## graphql-cartography-sketch.py
query = """
        query($login: String!, $after: String) {
        organization(login: $login)
            {
                membersWithRole(first:100, after: $after){
                    edges {
                        cursor
                        hasTwoFactorEnabled
                        node {
                            login
	// TODO: Adapt to show the _FULL_ list here: https://github.com/Cobenian/shai-hulud-detect/blob/main/compromised-packages.txt

	WITH [
	{ name: 'ansi-regex', version: '6.2.1' },
	{ name: 'ansi-styles', version: '6.2.2' },
	{ name: 'backslash', version: '0.2.1' },
	{ name: 'chalk', version: '5.6.1' },
	{ name: 'chalk-template', version: '1.1.1' },
	{ name: 'color-convert', version: '3.1.1' },
	{ name: 'color-name', version: '2.0.1' },
	// https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
	// Note: this is a starting point. Verify with the version numbers in the article above.
	// You can update the WHERE clause below with `d.requirements CONTAINS "x.y.z"`
	MATCH (d:Dependency)--(r:GitHubRepository)
	WHERE d.ecosystem = 'npm'
	AND d.name IN ['backslash','chalk-template','supports-hyperlinks','has-ansi','simple-swizzle','color-string','error-ex','color-name','is-arrayish','slice-ansi','color-convert','wrap-ansi','ansi-regex','supports-color','strip-ansi','chalk','debug','ansi-styles']
	RETURN d.name, d.requirements, d.manifest_file, r.id
	// github.com/lyft/cartography

	// Get all A records
	MATCH (dns:AWSDNSRecord{type:"A"})
	// See which ones map to EIPs that are in our inventory
	OPTIONAL MATCH (e:ElasticIPAddress{id: dns.value})

	// Do some data massaging, variable renaming
	WITH dns.name AS dns_name, dns.value AS dns_value, e.id AS eip
	// Return only DNS names that don't map back to an EIP that we know about
	for profile_name, account_id in accounts.items():
	logger.info("Syncing AWS account with ID '%s' using configured profile '%s'.", account_id, profile_name)
	common_job_parameters["AWS_ID"] = account_id
	boto3_session = boto3.Session(profile_name=profile_name)

	_autodiscover_accounts(neo4j_session, boto3_session, account_id, sync_tag, common_job_parameters)

	try:
	_sync_one_account(
	neo4j_session,
	static_resources:
	listeners:
	- name: www
	address:
	socket_address:
	address: 0.0.0.0
	port_value: 10000
	filter_chains:
	- filters:
	- name: envoy.filters.network.http_connection_manager
	# Change [this](https://github.com/lyft/cartography/blob/4a60653d5f343c95867e198d8c43b05e049f35b4/cartography/intel/aws/iam.py#L625-L631)
	# to this:

	for name in usernames;
	account_access_key = get_account_access_key_data(boto3_session, name)
	load_user_access_keys(neo4j_session, account_access_key, aws_update_tag)
	run_cleanup_job(
	'aws_import_account_access_key_cleanup.json',
	neo4j_session,
	common_job_parameters,
	query = """
	query($login: String!, $after: String) {
	organization(login: $login)
	{
	membersWithRole(first:100, after: $after){
	edges {
	cursor
	hasTwoFactorEnabled
	node {
	login